CVE-2023-52890

A use-after-free vulnerability exists in NTFS-3G's ntfs_uppercase_mbs() function in libntfs-3g/unistr.c, affecting versions prior to commit 75dcdc2. The bug occurs when utf8_to_unicode() returns -1, indicating a conversion failure. In the code path, after failing, the function frees the upp buffer and sets it to NULL. However, immediately afterward, the code attempts to dereference t (which is equal to upp) to write a null byte (*t = 0;), resulting in a write to freed memory [1].

The vulnerability is triggered when processing malformed UTF-8 input that causes the conversion routine to fail. An attacker would need to provide a specially crafted filesystem image or induce an error while mounting or manipulating NTFS volumes, which may require local access or the ability to mount a malicious volume. The exploitation prerequisites are specific and the discussion notes that achieving arbitrary code execution would be challenging [1].

If exploited, the use-after-free could lead to memory corruption, potentially causing a crash or other undefined behavior. Although the impact is rated as Medium (CVSS v3.1 4.5) due to the difficulty of exploitation, it could be leveraged in certain scenarios to escalate privileges or achieve denial of service.

The issue was addressed in commit 75dcdc2, which removes the problematic *t = 0; statement. Users are advised to update NTFS-3G to the latest version or apply the patch [1].